INFORMATION SECURITY PROGRAM

Department of Transportation

Report Number: FI-2005-001
Date Issued: October 1, 2004

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Audit of Information Security Program, Department of Transportation, FI-2005-001
Date: October 1, 2004

From: Alexis M. Stefani, Principal Assistant Inspector General for Auditing and Evaluation
Reply to Attn. of: JA-20

To: Chief Information Officer

This report presents the results of our audit of the information security program at the Department of Transportation (DOT). Responding to the Federal Information Security Management Act (FISMA) of 2002, our audit objectives were to (1) assess DOT’s progress in correcting weaknesses identified in last year’s FISMA review, and (2) provide input to DOT’s annual FISMA report by answering questions specified by the Office of Management and Budget (OMB). Our input to DOT’s annual FISMA report is in Exhibit A.

This year, we tested a subset of DOT systems that had undergone system security certification reviews to determine whether DOT has complied with Government standards in assessing system risks, identifying security requirements, testing security controls, and accrediting systems as able to support business operations. In addition, we reviewed the reasonableness of DOT’s continued reduction of computer systems in its inventory (from 630 to 485) during fiscal year (FY) 2004.

Our review was conducted in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States. Our scope and methodology are described in Exhibit B.

INTRODUCTION

FISMA requires Federal agencies to identify and provide security protections commensurate with the risk and magnitude of harm resulting from the loss of, misuse of, unauthorized access to, or modification of information collected or maintained by or on behalf of an agency. Because DOT maintains one of the largest portfolios of information technology (IT) investments of Federal civilian agencies, it is critical that DOT protects its systems and sensitive data. In FY 2004, DOT’s information technology budget totaled about $2.7 billion.

DOT has 12 Operating Administrations (OA) (listed in Exhibit C) with 485 computer systems. DOT is also responsible for operating the air traffic control system, which has been designated as part of the Nation’s critical infrastructure by the President (Homeland Security Presidential Directive 7, December 2003). DOT systems include safety-sensitive air traffic control and surface transportation systems, as well as financial systems that disburse over $50 billion in Federal funds each year.

RESULTS IN BRIEF

For the last 3 years, DOT has reported its information security program as a material internal control weakness under the Federal Managers’ Financial Integrity Act (FMFIA).¹ During FY 2004, DOT made a concerted effort to correct weaknesses identified in previous years. The most noteworthy improvements DOT has made since we began the annual information security review in FY 2001 include:

• Increased oversight of IT investment management and security controls. During FY 2004, the departmental Investment Review Board expanded its review of OA investment projects and directed OAs to evaluate cost-saving opportunities by consolidating systems of common interest, such as grant management. The Office of the Chief Information Officer (CIO office) also performed more in-depth reviews of IT budget requests submitted by OAs than in prior years.

• Strengthened protection of DOT’s network infrastructure against internal and external attacks. During FY 2004, DOT expanded its vulnerability checks to cover not only its public web sites but also computers on OA private networks. The CIO office also issued guidelines for configuring computers in a secure manner to prevent vulnerabilities.

• Improved integrity, confidentiality, and availability of DOT program operations that depend on computer systems support. During FY 2004, DOT increased the percentage of systems completing the security certification review from 33 percent to over 90 percent.

¹ A material internal control weakness is a significant deficiency in an agency’s overall information systems security program or management control structure, or within one or more information systems, that (1) significantly restricts the capability of the agency to carry out its mission, or (2) compromises the security of its information, information systems, personnel, or other resources, operations, or assets. The risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken. (OMB Guidance on “FY 2004 Reporting Instructions for the Federal Information Security Management Act,” M-04-25, August 23, 2004.)

Although DOT has made significant progress, this report identifies security issues that require continued management attention. The most significant remaining issues are summarized below.

The CIO office and OAs need to better coordinate IT budget requests in order to more clearly describe the sources and uses of IT funds. This may require changes in how budget funds are allocated between the CIO office and the OAs. For example, an important DOT initiative is to consolidate multiple systems maintained by individual OAs in 11 common business areas. Historically, each OA made its own investment decisions and submitted separate budget requests to fund its system operations. Consolidating systems in these common business areas will require a more centralized approach, and the Department may have to adjust its IT project management and budget submission practices. For example, consolidation efforts may require the CIO office or one OA to take the lead, resulting in shifting budget requests among the OAs.

The FY 2006 budget will need to more clearly describe this consolidation effort and tie together the individual OA requests in each area so that oversight groups such as the Office of the Secretary, OMB, and congressional appropriators can understand the investments being made and the expected benefits of consolidating systems in each business area. At the request of the Senate Appropriations Committee, we are conducting an evaluation of the Department’s IT budget submission and progress in enhancing IT investment controls and IT security. The report, which will be issued in the first quarter of FY 2005, will contain the results and specific actions needed to improve IT budget presentations, including the need to clarify project management and budget responsibilities of the CIO office and OAs.

The quality of security certification reviews needs to be improved. The Department has made good progress in completing security certification reviews during FY 2004. However, when we checked a sample of 20 systems, we identified one or more deficiencies in 14 cases. These deficiencies included inadequate assessments of the risks facing the system; lack of evidence that tests were performed and, in one case, a test item that had been listed as “passed” but failed when we re-tested it; incomplete presentations of remaining weaknesses to responsible senior officials; and approval to operate by senior officials who may not have adequate authority to correct the remaining problems. The CIO office needs to continue its efforts to enhance the quality of OA security certification reviews.

Air traffic control system security must be enhanced. During FY 2004, we issued an audit report concerning security and controls over air traffic control en route computer systems.² En route systems are used to control high-altitude (over 18,000 feet) traffic. The report concluded that while air traffic control en route computer systems have limited exposure to the general public, they need to be better protected. Two issues in particular deserve special attention. First, although the Federal Aviation Administration (FAA) had certified that the en route systems we reviewed were adequately secured, the reviews were limited to developmental systems located at FAA’s Technical Center computer laboratory. Operational systems deployed to en route centers also need to be reviewed. FAA has agreed to review operational en route systems but, to comply with FISMA requirements, FAA needs to commit to reviewing all operational air traffic control systems—at en route, approach control, and airport terminal facilities—within 3 years. Second, FAA has agreed to identify a cost-effective contingency plan to restore essential air service in the event of a prolonged disruption of service at an en route facility. FAA will use the results of an alternatives analysis, due in December 2004, to identify a cost-effective alternative. FAA needs to commit to making the implementation of a robust contingency plan a priority.

Based on the progress the Department has made and the current status of the security program, we are of the opinion that DOT’s information security program should be considered a reportable condition.³ We plan to continue reviewing DOT’s computer security program, focusing particular attention on FAA’s progress in strengthening security over air traffic control systems. DOT, and FAA in particular, needs to make certain that it follows through aggressively to implement corrective actions in order to prevent the security program from deteriorating into a significant deficiency next year. Progress completing certification reviews of air traffic control systems and progress implementing and testing an en route center contingency plan will be key measures of FAA’s commitment to address these issues.

We make a series of recommendations on pages 19 through 21 of this report to help the Department further enhance its information security protection and oversight of its multi-billion-dollar annual IT investments. The departmental CIO office agreed with our findings and recommendations. We have requested DOT to provide written comments describing the specific actions it will take to implement the recommendations.

² OIG Report Number FI-2004-078, “Audit of Security and Controls over En Route Center Computer Systems,” August 9, 2004. OIG reports can be accessed on our website: www.oig.dot.gov. The Department has determined that this report contains Sensitive Security Information (SSI) as defined by 49 CFR Part 1520. Accordingly, it is not available for public inspection or copying. The regulations provide that, under the Freedom of Information Act (FOIA) and the Privacy Act, should a document contain both SSI and non-SSI information, the Department may disclose the document with the SSI information redacted, so long as this information is not otherwise exempt from disclosure under FOIA or the Privacy Act.

³ A reportable condition is a security or management control weakness that does not rise to the level of a significant deficiency, yet is still important enough to be reported to internal management. (OMB Guidance on “FY 2004 Reporting Instructions for the Federal Information Security Management Act,” M-04-25, August 23, 2004.)

FINDINGS AND RECOMMENDATIONS

Management Controls

DOT, with an annual IT budget of about $2.7 billion, is responsible for one of the largest IT investment portfolios among civilian agencies. The Clinger-Cohen Act requires DOT to appoint a CIO responsible for ensuring cost-effective IT investments, including proper security protection. In FY 2003, we reported that DOT appointed a CIO and increased the CIO’s influence over IT decisions by forming a departmental Investment Review Board (the Board). The Board, chaired by the Deputy Secretary, has the authority to approve, modify, or terminate major IT investments. DOT’s ability to improve computer security is closely tied to the effectiveness of the IT review process because security must be considered when making investment decisions. Much of the value added by the establishment of the CIO office will come through its involvement in investment decisions.

Last year, we concluded that it was too early to judge whether these changes would substantially improve DOT’s oversight of IT investments and security. Specifically, we were concerned that the Board had focused its reviews on department-wide IT projects, such as implementation of a new departmental accounting system, and had provided little oversight of OA-specific IT investment projects. This was inadequate, considering that over 90 percent of the Department’s IT budget is appropriated directly to OAs and a number of their investments had experienced significant cost overruns and schedule delays in recent years. We were also concerned with the lack of substantive, in-depth review of OA information technology budget submissions and poor communications between the Board and the OAs.⁴

⁴ Seventy percent (42 out of 60) of the business cases for major IT investments submitted in FY 2003 were initially rejected by the Office of Management and Budget due to a lack of proper alternative analyses, performance evaluations, and life-cycle cost estimates.

Last year, we recommended that the CIO office develop specific criteria for selecting high-risk IT investment projects for the Board to review, provide more insightful oversight of IT budget requests, and ensure proper OA representation at the Board’s meetings and appropriate departmental representation at OA meetings. At the request of the Senate Appropriations Committee, we are also evaluating the Department’s progress in enhancing IT investment controls and IT security. The following summarizes the progress and improvements still needed.

The Board Needs a Better Process To Select Projects for Review

The Board has expanded its review of OA-specific IT investments. However, its review has focused on projects that are already considered troubled because they have experienced more than 10 percent cost increases or schedule delays. During FY 2004, the Board reviewed 10 IT projects managed by 7 OAs, including complicated air traffic control modernization projects. These projects were deemed “at risk” and selected for Board review primarily because they had a more than 10 percent increase in cost or schedule targets. However, other high-risk projects were not reviewed because they did not show a more than 10 percent cost or schedule overrun after having been “re-baselined.”⁵ These projects nonetheless still need senior management’s close attention to prevent a recurrence of problems.

⁵ The original cost estimates and planned implementation schedule displayed in business cases (also called Exhibit 300s) are referred to as “baselines” for project management. The original cost and schedule baseline on the 300 can be changed (“re-baselined”) upon approval by the Office of Management and Budget.

In recent years, we have issued several audit reports on FAA’s major acquisitions involving extensive software development work that require senior management level attention.⁶ We reported that of 20 major acquisitions reviewed, 13 projects had experienced schedule slips of 1 to 7 years, and 14 projects had experienced cost growth of over $4.3 billion (increasing from $6.8 billion to $11.1 billion). Yet, the list of projects reviewed by the Board in FY 2004 did not include many of those we reported as having cost and schedule problems. In response to our work, the Board added three of FAA’s major acquisition projects to its watch list—the Wide Area Augmentation System (WAAS), the Standard Terminal Automation Replacement System (STARS), and the Integrated Terminal Weather System (ITWS).

⁶ OIG Report Number PT-2004-006, “DOT Top Management Challenges,” December 5, 2003, and OIG Report Number AV-2003-045, “Status of FAA’s Major Acquisitions,” June 26, 2003.

While reviewing troubled projects is important, the Board also needs to monitor projects that have not yet exceeded the 10 percent threshold in order to prevent projects from becoming troubled. A key objective of the Board should be to prevent projects from breaching the threshold (10 percent overruns) and becoming “troubled.” This is especially important considering that FAA is beginning new, costly, and complex acquisition programs such as the En Route Automation Modernization Program (ERAM), which will cost billions of dollars to implement, to provide new hardware and software for facilities that manage high-altitude traffic. In September 2004, the CIO office updated its criteria for selecting at-risk projects for the Board’s review, including projects re-baselined and projects showing a negative trend. We will report the progress of using these new criteria in selecting investment projects for the Board’s review in next year’s report.

Better Cost Estimates for IT Investments Are Needed

This year, both the Board and the CIO office performed more substantive, in-depth reviews of OA information technology budget submissions. During FY 2004, the Department prepared 58 business cases, also called Exhibit 300s by OMB, for major IT investment projects, totaling $2.1 billion. These budget requests were submitted for review much earlier than last year, thus allowing a more substantive review by the CIO office. This early start, in conjunction with more experience in reviewing IT investment projects, helped strengthen DOT’s investment management controls. However, we continue to find that cost estimates for IT investment projects lack adequate support despite the existence of departmental guidance.⁷

⁷ OIG Report MH-2004-068, “Investment Review Board’s Deliberations on the Motor Carrier Management Information System,” June 29, 2004.

Project Management and Budget Responsibilities for IT Consolidation Initiatives Need To Be Defined

The Board provided more insightful oversight during the budget review process. However, the CIO office and OAs need to better coordinate IT budget requests in order to more clearly describe the sources and uses of IT funds. This may require changes in how budget funds are allocated between the CIO office and the OAs. For example, an important DOT initiative is to consolidate multiple systems maintained by individual OAs in 11 common business areas. Historically, each OA made its own investment decisions and submitted a separate budget request to fund its system operations. Consolidating systems in these common business areas will require a more centralized approach, and the Department may have to adjust its IT project management and budget submission practices. For example, consolidation efforts may require the CIO office or one OA to take the lead, resulting in shifting budget requests among the OAs.

The FY 2006 budget will need to more clearly describe this consolidation effort and tie together the individual OA requests in each area so that oversight groups such as the Office of the Secretary, OMB, and congressional appropriators can understand the investments being made and the expected benefits of consolidating systems in each business area. At the request of the Senate Appropriations Committee, we are conducting an evaluation of the Department’s IT budget submission and progress in enhancing IT investment controls and IT security. The report, which will be issued in the first quarter of FY 2005, will contain the results and specific actions needed to improve IT budget presentations, including the need to clarify project management and budget responsibilities of the CIO office and OAs.

Better OA Review of IT Investment Projects Is Needed

The communications between the Board and the OAs have improved significantly. During FY 2004, the Board expanded its membership to include OA representatives. The Federal Aviation Administrator has joined the Board as a voting member in reviewing and approving major IT investment projects. In addition, the Board created three additional members who will rotate among the remaining OAs. While the Board benefited from the OAs’ input when reviewing major IT investment projects, more needs to be done to ensure that OA investment review boards operate effectively.

DOT guidance authorizes each agency to establish its own Board to review IT investment projects. The departmental Board reviews only major investments—projects exceeding certain dollar thresholds or those deemed to have a significant impact on departmental missions. IT investment projects not meeting these criteria are deemed non-major. These investment projects, totaling $600 million, should have been reviewed by OA Boards in accordance with the DOT policy. However, we found that non-major projects were not being adequately reviewed.

The CIO office needs to ensure that OAs follow departmental guidance when estimating IT project costs and that OA Investment Review Boards adequately review and manage all IT investments.

Network and Internet (Web) Services Security

DOT uses over 400 public web sites to provide Internet services to the public and thousands of computers on its private networks to process sensitive information. Together, they form the IT infrastructure to support DOT missions. DOT has made significant strides in securing this infrastructure since we started performing annual computer security audits in FY 2001.

In FY 2001, we reported weaknesses in DOT’s firewall security that allowed us to gain unauthorized access from the Internet to about 270 computers located within DOT’s private network. In FY 2002, we reported that DOT had strengthened security over the Internet entry points (the “front door”). However, we found hundreds of unauthorized or unsecured telephone line connections to DOT networks (the “back door”) and hundreds of vulnerabilities in DOT web sites, which made the web sites vulnerable to denial-of-service attacks or defacement. In FY 2003, we reported that DOT added security to its back-door network connections, established security incident response centers, and started checking public web sites for potential vulnerabilities. However, we also reported that computers on DOT’s private networks were not checked for potential vulnerabilities, and DOT did not report all major security incidents to the responsible Federal authority.

During FY 2004, DOT took corrective actions by requiring OAs to perform vulnerability checks on their network computers, issuing guidance for secure configuration (or setup) of computers, and reporting all major incidents to the Federal authority. However, we identified the following concerns associated with the OAs’ vulnerability checks, configuration management, and security assurances from third-party contractors.

Vulnerability Checks Are Incomplete

The OAs’ vulnerability checks did not cover all computers on their private networks, and vulnerabilities found were not always corrected in a timely fashion. For example, we found that FAA checked vulnerabilities on major computer servers but not on end-user computers. As a result, tens of thousands of workstations on its networks have not been checked for vulnerabilities. The same limitation also applied to the Merchant Marine Academy’s workstations. We also found that vulnerabilities identified on public web sites and on the Federal Railroad Administration’s private networks were not promptly corrected.

Configuration Management Controls Need Improvement

Configuration management controls need enhancement and enforcement. Proper configuration is key to preventing computer vulnerabilities.⁸ FISMA requires each agency to develop specific IT security configuration requirements that meet its needs and to ensure compliance with them. During 2004, the CIO office issued security baseline standards for configuring computers using these five software packages: server-based Windows, Linux, Solaris, Cisco (router), and wireless devices such as Personal Digital Assistants (PDA). OAs were required to configure their computers in accordance with these baseline standards by August 1, 2004.

⁸ For example, hackers can easily take total (root-level) control of a computer that is not configured with a password-protected system administrator account.

While DOT is moving in the right direction to implement configuration management controls, it needs to issue configuration standards for additional commonly used software and to develop a process to ensure that the controls are implemented. The CIO office needs to develop configuration standards for at least three additional software packages commonly used to support DOT operations—PC-based Windows, the Oracle database, and web applications.

We estimate that three-quarters of the desktop computers on DOT networks use PC-based Windows software to store, process, and transmit data. The Oracle database is used in key application systems, such as the departmental accounting system (Delphi), the Federal Highway Administration’s grant management system, FAA’s labor distribution system, and the National Highway Traffic Safety Administration’s defect investigation system. Web application software is used not only to program web sites, but also to serve as the front-door interface to key DOT systems. Vulnerabilities embedded in web application software could leave DOT systems open to attacks. For example, in FY 2003, we found web application vulnerabilities in the departmental accounting system that could have allowed intruders to access sensitive information. In FY 2004, one of DOT’s web sites was defaced due to improper configuration of web application software. Both vulnerabilities have been eliminated. In response to our recommendations, the CIO office issued draft standards for secure configuration of the Oracle database on September 27, 2004 and for web applications on September 29, 2004.

Issuing security configuration standards alone is not enough to ensure computer security. As required by FISMA, agencies must establish an enforcement program to ensure adequate monitoring and maintenance of the established configuration standards. The CIO office needs to periodically verify OA compliance with the issued standards.

Web Service Contractors Did Not Provide Security Assurance

OAs did not obtain security assurance for contractor-operated web sites. DOT has over 400 public web sites, some of which are operated by third-party contractors. In FY 2002, we recommended that DOT require written assurance from third-party contractors that the outsourced DOT web sites are adequately protected from cyber attacks. In response to our recommendations, the Assistant Secretary for Administration issued a memorandum in February 2003 requiring that contractors provide written assurance that all systems operated on behalf of DOT had adequate security protections and that DOT could inspect their operations.⁹

⁹ DOT memorandum, “Information Security Requirements,” February 13, 2003.

More than a year later, we found DOT has not effectively implemented this requirement. During FY 2004, using commercial scanning software, we scanned 16 OA web sites that were operated by third-party contractors. We identified a total of 57 vulnerabilities (8 high and 49 medium).¹⁰ The summary of the scanning result is shown in Table 1.

¹⁰ High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium-risk vulnerabilities may provide an attacker with useful information, such as password files, that they can then use to compromise a computer system.

Table 1. Scanning Result of DOT Third-Party Websites

Operating           Vulnerabilities Confirmed   Number of
Administration*     and Corrected               Websites Scanned
                    High        Medium
FAA                 0           4               1
FHWA                2           21              6
FMCSA               0           7               1
FRA                 4           7               3
FTA                 0           4               1
OST                 1           2               2
RSPA                1           4               2
Total               8           49              16

* See Exhibit C for definitions of acronyms.

While OAs took immediate actions to eliminate all of these vulnerabilities, most could not provide us with security assurance from their contractors. We asked OAs to provide us with the written security assurance and any supporting documentation, such as the vendor’s IT security plan, self-assessment results, or independent evaluation reports. The Federal Highway Administration provided us its contractors’ IT security plans. The Office of the Secretary, the Federal Transit Administration, and the Federal Motor Carrier Safety Administration provided certification and accreditation packages prepared by DOT for these contractor-operated web sites, but not any contractor-provided assurance. Other OAs did not provide any evidence. Providing security assurance to DOT is part of each contract and should be enforced because the lack of assurance puts the integrity, confidentiality, and availability of DOT business operations at risk.

The CIO office needs to verify the completeness of OAs’ vulnerability checks, ensure that timely corrective actions are taken by OAs, finalize software configuration standards for the Oracle database and web applications, develop standards for PC-based Windows, check OA compliance with configuration standards, and require OAs to obtain annual security assurance from contractors operating DOT-sponsored web sites or terminate the contractors’ services.

System Security

Historically, one of the persistent weaknesses concerning DOT’s information security program was the lack of system security certification reviews. They are a critical and effective measure to ensure systems are adequately secured commensurate with their individual operational risks. DOT had trailed behind the Government average by having only 10, 12, and 33 percent of its systems complete such reviews during FY 2001, FY 2002, and FY 2003, respectively. In FY 2003, we also reported cases where systems were certified as secure without having been tested, systems were accredited for operations by personnel not in a position to do so, and estimated security costs were not supported or documented. We recommended that the CIO office perform quality assurance checks of OA security certification reviews.

During FY 2004, DOT made a concerted effort to increase the number of system security certification reviews and reported that 97 percent of its systems had completed such reviews. Meanwhile, DOT reduced its system inventory from 630 systems to 485 (a reduction of 145). FAA reduced its inventory from 421 systems to 285 (a reduction of 136)—94 percent of the total reduction. Table 2 shows the change in inventory between FY 2003 and FY 2004 and the number of systems certified by OA.

Table 2. DOT System Inventory Changes

Operating           FY 2003     FY 2004     FY 2004
Administration*     Total       Total       Certified
BTS                 7           4           4
FAA                 421         285         274
FHWA                25          24          24
FMCSA               19          19          19
FRA                 22          22          22
FTA                 7           9           9
MARAD               12          12          11
NHTSA               42          38          38
OST                 46          54          54
RSPA                25          15          15
STB                 3           2           2
SLSDC               1           1           1
Total               630         485         473

* See Exhibit C for definitions of acronyms.

FAA stated that the overall reduction of 136 systems was primarily due to inventory consolidation, system additions, and system retirements. FAA provided documentation supporting the changes from last year. We reconciled FAA’s system inventory to last year’s record to ensure that all system components were accounted for. In addition, we reviewed the certification work performed on 20 systems to ensure the quality of the work.
The following summarizes our review\nresults.\n\x0c                                                                              13\n\n\nA Significant Amount of Work Remains for Security Certification\nReviews\nWhile FAA provided adequate support to reconcile the inventory records between\nthe 2 years, we found that it will require continued management support and\nmonitoring to complete the remaining certification reviews.\n\n\xe2\x80\xa2 Inventory adjustments were supported. Based on our analysis, inventory\n  consolidation accounted for the majority of system reduction. We selected\n  nine systems from the consolidation listing for review and found that they all\n  were properly incorporated as components (sub-systems) of other systems in\n  FAA\xe2\x80\x99s inventory.\n\n\xe2\x80\xa2 Systems remain to be certified. Six of the 11 systems remaining to be\n  certified in FAA\xe2\x80\x99s inventory record involve local area network systems\n  installed at hundreds of locations. Since there is no assurance that network\n  systems at all these locations have the same configuration or operate the same\n  way, FAA may have to perform certification reviews at all installation sites.\n  This could require a significant amount of work.\n\nQuality of Security Certification Reviews Needs Improvement\nOur sample review of 20 systems identified deficiencies in 14 cases. Deficiencies\nwere in the areas of assessing system risk levels, testing security controls,\ninforming senior management of remaining security weaknesses, and approving\nsystems for operations through accreditation as shown in Table 3.\n\x0c                                                                                             14\n\n\n      Table 3. 
Quality of System Security Certification Reviews\n                                            No\n                          Inadequate     Evidence\n Systems Sampled*            Risk           of         Failed   Weaknesses   Weaknesses   Accredited by\n(Number of Systems)          Level       Security       Our        Not          Not       Inappropriate\n                          Assessment      Testing       Test    Summarized   Mentioned      Official\nBTS Statistics Sys (1)           1            --         --         --           1             1\nFAA: Air Traffic\n        Control (5)              1            3         N/A         1            4            --\n        Others (5)               1            --        N/A         3            1            --\nFHWA Network (1)                 --           --         --         1            --           --\nFTA Network (1)                  --           --         --         1            --           --\nFMCSA Network (1)                --           --         --         --           1            --\nMARAD Financial (1)              --           --         1          1            --           --\nNHTSA Safety (1)                 --           --         --         1            --           1\nOST: Network (2)                 --           --        N/A         1            1            2\n        Telephone (1)            --           --        N/A         1            --           1\nRSPA Network (1)                 --           --         --         1            --           --\n Total                           3            3          1          11           8            5\n * See Exhibit C for definitions of acronyms.\n   N/A = We did not select these systems for independent tests.\n\n\n\xe2\x80\xa2 The system risk level was not properly assessed for 3 of 20 systems we\n  reviewed. 
This assessment is part of the overall system risk assessment and is\n  critical to determining the level of security protection and degree of testing\n  needed to certify that a system is adequately secured. The National Institute of\n  Standards and Technology and DOT have issued specific guidelines directing\n  OAs to perform such assessments based on the impact on agency business\n  should the system operations be compromised. We found that FAA assigned a\n  low-risk level to, and accordingly required low security protection and testing\n  for, two important systems\xe2\x80\x94an air traffic control surveillance system and a\n  labor distribution system that is used to manage labor forces and costs.\n  However, FAA had not performed the business impact analysis to justify the\n  low-risk rating.\n\n     We also found that the Bureau of Transportation Statistics (BTS) did not assign\n     any risk level or perform any business impact analysis for a critical\n     transportation statistics system. That system is widely used by DOT and the\n     industry to set rates for essential air services and to monitor major trends in the\n     transportation industry. Despite the lack of a risk assessment, BTS reported\n     that the system was adequately secured commensurate with the associated\n     risks.\n\n\xe2\x80\xa2 There was no evidence of testing for 3 of 20 systems we reviewed. One of the\n  key parts of the security certification review is the security testing and\n  evaluation process, which determines the system\xe2\x80\x99s compliance with specified\n\x0c                                                                                   15\n\n\n   security requirements. 
We did not find any documented evidence of security\n   control testing for three of the five air traffic control systems we sampled.\n\n   For the seven systems outside of FAA and the Office of the Secretary, we\n   randomly selected control items marked as \xe2\x80\x9cpassed\xe2\x80\x9d on the evaluation sheets\n   and subjected them to an independent testing. In one case\xe2\x80\x94a Maritime\n   Administration financial system\xe2\x80\x94the item we tested failed in our presence.\n   The system did not lock the user out after three unsuccessful logon attempts, as\n   indicated in testing documents. This is a basic but important access control.\n\n\xe2\x80\xa2 Remaining security weaknesses were not summarized so that accrediting\n  officials could easily evaluate remaining risks for 19 of 20 systems we\n  reviewed. The final step in a security certification and accreditation review is\n  for the authorizing official to accept (or accredit) the system as adequately\n  secured commensurate with its associated risks to support business operations.\n  The authorizing officials need to know what remaining risks and corrective\n  actions are planned before approving the system for operations.\n\n   All 20 systems we reviewed have remaining security weaknesses pending\n   corrections, but in only one case were remaining risks clearly summarized in\n   the signed certification letter. In 11 cases, the certification letter mentioned\n   that risks remained and referred the official to an attachment that described the\n   risks. However, the attachment (also called Plan of Actions and Milestones by\n   OMB) is a low-level document detailing individual security weaknesses found\n   and the progress of correction. It does not provide summary information the\n   senior official needs to understand the remaining risks before accrediting the\n   system for operations. 
In eight cases, the certification letter did not even\n   mention that remaining risks were described in an attachment. Current DOT\n   policy does not require risks to be summarized in the certification letter.\n   However, because accepting the remaining risks is the key element in the\n   accreditation process, we believe the risks should be clearly stated in the letter.\n\n\xe2\x80\xa2 Systems were not accredited for operations by the appropriate senior official\n  for 5 of 20 systems we reviewed. Federal and DOT guidance requires the\n  senior official who is primarily responsible for using a computer system (the\n  system user) to accredit the system for operations. Obtaining system\n  accreditation from the correct authorizing official is critical because this\n  official has to accept the system risk (impact) on business operations and\n  should also be able to allocate budget resources to secure the system. We\n  found that three Office of the Secretary communication systems and a National\n  Highway Traffic Safety Administration safety system were accredited by\n  technical managers, rather than by senior officials at a high enough level to\n  make budget trade-off decisions to allocate resources to address remaining\n\x0c                                                                                  16\n\n\n   problems. In addition, the BTS transportation statistics system had not been\n   accredited by the system user organization, even though BTS reported it had\n   been accepted for operations. All BTS provided was a certification statement\n   approved by its CIO stating that the system had passed testing.\n\nDuring FY 2004, the CIO office performed quality assurance checks on OAs\xe2\x80\x99\nsecurity certification work on 14 systems, but it did not share the review results\nwith OAs. 
The CIO office needs to increase the number of quality assurance\nchecks of OA security certification reviews, share the results with OAs to ensure\nthat improvements are communicated widely, and issue guidance to ensure\naccrediting officials are properly informed of remaining security weaknesses.\n\nWe are also recommending that the CIO office require FAA to justify the low risk\nlevel of the air traffic control surveillance system and the labor distribution\nsystem, examine FAA\xe2\x80\x99s procedures for testing air traffic control systems security,\nmodify its policy to ensure that accreditation statements are approved by\nappropriate senior officials, remove the BTS transportation statistics system from\nthe list of accredited systems, and examine the security certification review\nprocess employed by BTS for appropriateness.\n\nProtecting Critical National Infrastructure\nThe President designated the air traffic control system as part of the critical\nnational infrastructure due to the important role commercial aviation plays in\nfostering and sustaining the national economy and ensuring the safety and\nmobility of citizens. FAA is responsible for ensuring that air traffic control\nfacilities, systems, and operations are (1) protected from disruption from man-\nmade or natural events, and (2) able to resume services in a timely manner if\nservices are disrupted. Operational disruptions at any air traffic control facility\nhave the potential to create significant delays and interruption of air service.\nProlonged outages at major facilities, such as an en route center, would severely\ndisrupt air traffic, causing significant economic losses and subjecting travelers to\ndelays and inconvenience.\n\nIn FY 2003, we reported that FAA\xe2\x80\x99s security certification review of air traffic\ncontrol systems was too limited to provide assurance that operational systems\nwere adequately secure. 
The reviews covered only the developmental (prototype)\nsystems operating at the FAA computer laboratory. FAA has agreed to develop a\ntimetable to have all operational systems reviewed for adequate security but has\nnot yet established a schedule.\n\nDuring FY 2004, we issued an audit report concerning security and controls over\nair traffic control en route computer systems. En route systems are used to control\nhigh-altitude (over 18,000 feet) traffic. The report concluded that while air traffic\n\x0c                                                                                    17\n\n\ncontrol en route computer systems have limited exposure to the general public,\nthey need to be better protected. We made specific recommendations to enhance\nsystem, physical, and network access security; reduce risks of en route service\ndisruptions; strengthen FAA\xe2\x80\x99s overall contingency planning; and improve the\nsecurity review process for air traffic control computer systems.\n\nFAA management concurred with our findings and is taking corrective actions\nthat, when fully implemented, will enhance the integrity and availability of\nen route computer system operations. In that regard, two important issues deserve\nspecial attention. First, although FAA had certified that the en route systems we\nreviewed were adequately secured, the reviews were limited to developmental\nsystems located at FAA\xe2\x80\x99s Technical Center computer laboratory. Operational\nsystems deployed to en route centers also need to be reviewed. 
FAA has agreed to\nreview operational en route systems, but, to comply with FISMA requirements,\nFAA needs to commit to reviewing all operational air traffic control systems\xe2\x80\x94at\nen route, approach control, and airport terminal facilities\xe2\x80\x94within 3 years.\nSecond, FAA has agreed to identify a cost-effective contingency plan to restore\nessential air service in the event of a prolonged disruption of service at an en route\nfacility. FAA will use the results of an alternatives analysis, due in December\n2004, to identify a cost-effective alternative. FAA needs to commit to making the\nimplementation of a robust contingency plan a priority.\n\nWe are recommending that the departmental Investment Review Board monitor\nFAA\xe2\x80\x99s implementation of these corrective actions to ensure that FAA\n(1) completes security certification reviews of all operational air traffic control\nsystems within 3 years and (2) implements and tests a cost-effective contingency\nplan to restore essential air service in the event of a prolonged service disruption at\nan en route facility. We plan to continue reviewing air traffic control security\nissues and FAA\xe2\x80\x99s progress correcting the deficiencies. We will report on the air\ntraffic control system\xe2\x80\x99s security status in next year\xe2\x80\x99s FISMA report.\n\nSystem Contingency and Continuity Planning\nContingency plans allow business operations that depend on information systems\nto continue operating during system service disruptions. In FY 2003, we reported\ninadequate contingency planning for DOT systems (only 26 percent of systems\nhad such plans) and inadequate testing at recovery sites. In addition, we reported\nthat, to reduce the probability of losing both sites to the same disaster, DOT needs\nto develop guidance on the minimum geographic distance between system primary\nand recovery processing sites. 
We found cases where the backup sites were within\n10, 15, or 25 miles of the primary sites for systems critical to DOT operations.\n\nDuring FY 2004, DOT emphasized this area and reported that about 93 percent of\nsystems now have contingency plans. In May 2004, DOT participated in the\n\x0c                                                                                    18\n\n\nForward Challenge Exercise. The exercise focused on testing the communications\ncapability between the departmental and the OA command centers, in case the\nDOT Headquarters became uninhabitable. All DOT components participated in\nthe exercise and tested the communications capability with cell phones and\ne-mails.\n\nWe reviewed the contingency plans for eight business application systems within\nfour OAs. These systems are used to support a wide range of business functions.\nWe found that two systems did not have off-site disaster recovery capabilities, and\nthat three of the remaining six systems had no evidence of testing at the designated\ndisaster recovery sites. Table 4 shows the results of that review.\n\n        Table 4. 
Contingency Planning for Selected Systems\n        Operating                      Systems            Off-site    Evidence of\n      Administration*                                    Recovery      Testing\n                                                         Capability\n      FAA                   Cost Accounting                 No           N/A\n      FAA                   Labor Distribution             Yes           No\n      FAA                   Logistics Support              Yes           Yes\n      FAA                   Aircraft Safety Inspection     Yes           No\n      FAA                   Human Resources                Yes           No\n      MARAD                 Financial Management           Yes           Yes\n      NHTSA                 Crash Investigation            Yes           Yes\n      BTS                   Transportation Statistics       No           N/A\n     * See Exhibit C for definitions of acronyms.\n       N/A = no off-site recovery capability to test.\n\nIn addition, we found that policy governing the physical distance between system\nprimary and backup processing sites has not been completed. The CIO office\nplans to issue this policy by December 2004. However, some OAs plan to invest\nmore money to further equip recovery sites that may not meet the minimum\ndistance requirements.\n\nThe CIO office needs to ensure that OAs do not make uneconomic investments in\nrecovery sites that could be superseded by the December 2004 policy and require\nOAs to develop and test off-site disaster recovery capabilities.\n\nPersonnel Security\nAnother persistent weakness concerning DOT\xe2\x80\x99s information security program was\nthe lack of background checks on contractor personnel. 
Background checks are\nimportant because of the large number of contractor personnel (about 18,000)\nperforming sensitive system work, such as air traffic control system development\nand maintenance, network security, and system security certification reviews.\nBackground checks help to determine whether a particular individual is suitable\n\x0c                                                                                                                19\n\n\nfor a given position. In FY 2003, we reported that DOT did not conduct\nbackground checks on contractor employees performing sensitive security work.\nAs a result, contractor personnel were given inappropriate access to sensitive\ninformation, such as system vulnerability assessments and threat analyses, without\nany background checks.\n\nDuring FY 2004, in response to our recommendations, DOT changed its practices\nby requiring background checks solely based on the sensitivity of the work and\nregardless of the contract length. Previously, checks were not performed if the\ncontract term was for less than 6 months. DOT also established new procedures11\nrequiring quarterly updates from OAs concerning contractor personnel, such as\nwho began work, who had access to DOT facilities and systems during that\nquarter, and who previously had access but no longer needed access.\n\nThis year, we sampled 122 contractor personnel who were associated with the\n20 systems we selected for review for background checks.12 All individuals had\nreceived proper background checks commensurate with the sensitivity of their\njobs.\n\nRECOMMENDATIONS\n\nTo improve IT management controls, we recommend that the DOT CIO:\n\n     1. Require OAs to follow departmental guidance when estimating IT project\n        costs.\n\n     2. 
Periodically review OA review board activities to ensure that they follow\n        existing guidance and adequately manage their IT investments.\n\nTo improve network and Internet (web) security, we recommend that the\nDOT CIO:\n\n     3. Periodically verify that the OAs have performed adequate vulnerability\n        checks and taken timely corrective actions on vulnerabilities identified.\n\n     4. Issue software configuration standards for PC-based Windows and finalize\n        the configuration standard for the Oracle database and web applications.\n\n     5. Periodically check OA compliance with configuration standards.\n11\n   The Assistant Secretary for Administration memorandum to all heads of Operating Administrations and secretarial\n   offices on May 17, 2004.\n12\n   In this audit, we limited the review of background checks to contractor personnel working on 20 computer systems.\n   We have a separate audit underway with more comprehensive coverage of this issue.\n\x0c                                                                                  20\n\n\n\n  6. Enforce the requirements that OAs obtain annual security assurance from\n     contractors that host OA web sites or terminate these contractors\xe2\x80\x99 services.\n\nTo enhance the quality of OA system security certification reviews, we\nrecommend that the DOT CIO:\n\n  7. Increase quality assurance checks of OA system certification work and\n     communicate the review results to OAs to ensure that identified weaknesses\n     are corrected timely.\n\n  8. Issue guidance requiring that remaining security weaknesses and needed\n     corrective actions be summarized and presented to the responsible senior\n     official when accrediting systems for operations.\n\n  9. 
Require FAA to justify the low-risk level assigned to one air traffic control\n     surveillance system and the labor distribution system, and examine FAA\xe2\x80\x99s\n     procedures for testing air traffic control system security.\n\n  10. Modify DOT guidance to ensure that accreditation statements are approved\n      by appropriate senior officials, and require the Office of the Secretary and\n      the National Highway Traffic Safety Administration to obtain accreditation\n      approval from higher level senior officials in the user organization for the\n      systems we identified.\n\n  11. Remove the BTS transportation statistics system from the list of accredited\n      systems, examine the security certification review process employed by\n      BTS for appropriateness, and obtain a new certification review.\n\nTo improve air traffic control system security, we recommend that the\ndepartmental Investment Review Board monitor FAA\xe2\x80\x99s implementation of\nthe following corrective actions:\n\n  12. Complete security certification reviews of all operational air traffic control\n      systems within 3 years.\n\n  13. Implement and test a cost-effective contingency plan to restore essential air\n      service in the event of a prolonged service disruption at an en route facility.\n\nTo improve system contingency planning, we recommend that the DOT CIO:\n\n  14. Review OA disaster recovery plans to ensure all OAs develop and test\n      off-site disaster recovery capabilities for critical business operations.\n\x0c                                                                               21\n\n\n   15. 
Ensure that OAs do not make uneconomic investments in recovery sites\n       that could be superseded by future policy guidance to be issued governing\n       the minimum distance between system primary and recovery processing\n       sites.\n\nMANAGEMENT COMMENTS AND OFFICE OF INSPECTOR\nGENERAL RESPONSE\nThe CIO office reviewed a draft of this report and provided oral comments. CIO\noffice officials stated that they were pleased that the report recognized the\nsignificant progress made this year to improve IT management and strengthen\ncomputer security. They also agreed with the report\xe2\x80\x99s findings and\nrecommendations and stated they will provide written comments describing the\nspecific actions they will take to implement the recommendations.\n\nACTION REQUIRED\nIn accordance with Department of Transportation Order 8000.1C, we would\nappreciate receiving your written comments within 30 calendar days. Please\nindicate the specific actions taken or planned for each recommendation and a\ntarget date for completion. You may provide alternative courses of action that you\nbelieve would resolve the issues presented in this report.\n\nWe appreciate the courtesies and cooperation of the Office of the Chief\nInformation Officer and the Operating Administrations\xe2\x80\x99 representatives during this\naudit. If you have any questions concerning this report, please call me at (202)\n366-1992 or Theodore Alves, Assistant Inspector General for Financial and\nInformation Technology Audits, at (202) 366-1496.\n\n                                        #\n\n\ncc: Deputy Secretary\n    Federal Aviation Administrator\n    Martin Gertel, M-1\n\x0cEXHIBIT A. 
OIG INPUT TO FISMA REPORT\n\n\n\n                                               2004 FISMA Report\n                  Agency:                             Department of Transportation\n\n\n                  Date Submitted:        10/01/2004\n\n                  Submitted By:          OIG\n\n                  Contact Information:\n                             Name:       Alexis M. Stefani\n                             E-mail:     alexis.stefani@oig.dot.gov\n                             Phone:      (202) 366-1992\n\x0c\n\nSection A: System Inventory and IT Security Performance\nNOTE: ALL of Section A should be completed by BOTH the Agency CIO and the OIG.\n\n\n    A.1. By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs\n    and IGs shall each identify the total number that they reviewed as part of this evaluation in FY04. NIST 800-26 is to be used as guidance for these reviews.\n\n\n    A.2. For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.\n\n\n    Column key (A.1 columns give total number / number reviewed; A.2 columns give number of systems and, in parentheses, percent of the systems reviewed):\n      A.1.a  FY04 programs\n      A.1.b  FY04 systems\n      A.1.c  FY04 contractor operations or facilities\n      A.2.a  Systems certified and accredited\n      A.2.b  Systems with security control costs integrated into the life cycle of the system\n      A.2.c  Systems for which security controls have been tested and evaluated in the last year\n      A.2.d  Systems with a contingency plan\n      A.2.e  Systems for which contingency plans have been tested\n      --     no value given\n\n    Bureau Name     A.1.a      A.1.b      A.1.c      A.2.a          A.2.b          A.2.c          A.2.d          A.2.e\n    BTS             1 / 1      4 / 1      1 / 0      0 (0.0%)       1 (100.0%)     1 (100.0%)     0 (0.0%)       0 (0.0%)\n    FAA             1 / 1    285 / 10    12 / 12    10 (100.0%)     8 (80.0%)      7 (70.0%)      9 (90.0%)      5 (50.0%)\n    FHWA            1 / 1     24 / 1      2 / 2      1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)\n    FMCSA           1 / 1     19 / 1      4 / 1      1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)     0 (0.0%)\n    FRA             1 / 0     22 / 0      2 / 1      0              --             --             --             --\n    FTA             1 / 1      9 / 1      2 / 1      1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)\n    MARAD           1 / 1     12 / 1      4 / 0      1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)\n    NHTSA           1 / 1     38 / 1      2 / 1      1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)\n    RSPA            1 / 1     15 / 1      0 / 0      1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)     1 (100.0%)\n    SLSDC           1 / 0      1 / 0      3 / 0      0              --             --             --             --\n    STB             1 / 0      2 / 0      0 / 0      0              --             --             --             --\n    OST             1 / 1     54 / 3      0 / 0      3 (100.0%)     3 (100.0%)     3 (100.0%)     3 (100.0%)     3 (100.0%)\n\n    Agency Total   12 / 9    485 / 20    32 / 18    19 (95.0%)     18 (90.0%)     17 (85.0%)     18 (90.0%)     13 (65.0%)\n\nComments:\nA.1.c: The total number of contractor operated facilities (32) was reported by DOT. However, during our review we found that Operating Administrations are reporting the number of contractor\noperations or facilities inconsistently. For example, three Operating Administrations (FAA, FHWA, and RSPA) did not include contractor provided web services in the reporting, while others did.\nA.2.a: Our sample review of 20 systems, which were reported as having completed C&A reviews, identified deficiencies in the areas of assessing system certification levels, testing security controls,\ninforming senior management of remaining security weaknesses, and approving systems for operations (accreditation). As a result of our review, we concluded the BTS system was not properly\nreviewed, and made a specific recommendation for the DOT CIO to examine the security certification review process employed by BTS for appropriateness.\nA.2.b: We did not find any funding requests, and associated security costs, for two systems in the Department\'s Exhibit 53 submission.\nA.2.c: As stated in our audit report, we did not find any documented evidence of security control testing for three of the five air traffic control systems we sampled.\nA.2.d. & A.2.e: We made specific recommendations to improve system contingency planning in our audit report.\n\x0c\n\n\n                                                                                                     A.3\n\n\n   A.3. Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop down menu. 
If appropriate or necessary, include\n   comments in the Comment area provided below.\n\n\n                                                               Statement                                                                                          Evaluation\n\n\n        a. Agency program officials and the agency CIO have used appropriate methods to ensure that contractor provided services or\n        services provided by another agency for their program and systems are adequately secure and meet the requirements of                             Mostly, or 81-95% of the time\n        FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.\n\n\n        b. The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST\n                                                                                                                                                         Mostly, or 81-95% of the time\n        self-assessment guide, 800-26.\n\n\n        c. In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used\n                                                                                                                                                    Almost Always, or 96-100% of the time\n        addressed all elements of the NIST guide.\n\n\n        d. The agency maintains an inventory of major IT systems and this inventory is updated at least annually.                                   Almost Always, or 96-100% of the time\n\n\n\n        e. The OIG was included in the development and verification of the agency\xe2\x80\x99s IT system inventory.                                            Almost Always, or 96-100% of the time\n\n\n\n        f. The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.                             
Almost Always, or 96-100% of the time\n\n\n        g. The agency CIO reviews and concurs with the major IT investment decisions of bureaus (or major operating components)\n                                                                                                                                                    Almost Always, or 96-100% of the time\n        within the agency.\n\n                                                               Statement                                                                                          Yes or No\n\n\n        h. The agency has begun to assess systems for e-authentication risk.                                                                                         Yes\n\n\n        i. The agency has appointed a senior agency information security officer that reports directly to the CIO.                                                   Yes\n\n\nComments:\nA.3.a,b&c: We reviewed 18 contractor operations and found that 2 did not receive any security reviews. The others received C&A reviews (13), self assessments (2), and a SAS-70 review (1). We\nhave concluded that all reviews complied with NIST 800-26.\n\nA.3.d&e: DOT reduced its system inventory from 630 to 485 systems (a reduction of 145). FAA reduced its inventory from 421 to 285 systems (a reduction of 136)--94 percent of the total reduction.\nFAA provided support and stated the reduction was due mainly to system consolidation. We were able to reconcile the inventory records between the 2 years.\n\nA.3.f: We agree with the number of programs and systems, however, as we commented under A.1.c., Operating Administrations did not consistently include contractor operated web sites in their\ninventories. 
We estimate that at least 9 contractor-operated web sites were not included in the number of contractor operations or facilities reported by the CIO Office.

Section B: Identification of Significant Deficiencies
NOTE: ALL of Section B should be completed by BOTH the Agency CIO and the OIG.

   B.1. By bureau, identify all FY 04 significant deficiencies in policies, procedures, or practices required to be reported under existing law. Describe each on a separate row, and identify which are repeated from FY03. In addition, for each significant deficiency, indicate whether a POA&M has been developed. Insert rows as needed.

   B.1. FY04 Significant Deficiencies

     Bureau Name      Total Number   Number Repeated from FY03   Identify and Describe Each Significant Deficiency   POA&M developed? (Yes or No)
     None reported

     Agency Total            0                 0

Comments:
For the last 3 years, DOT has reported its information security program as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA). During FY 2004, DOT made a concerted effort to correct weaknesses identified in previous years. Based on the progress the Department made, we are of the opinion that DOT's information security program should be reported as a reportable condition.

Section C: OIG Assessment of the POA&M Process
NOTE: Section C should *ONLY* be completed by the OIG. The CIO should leave this section blank.

   C.1. Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. This question is for IGs only. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop-down menu. If appropriate or necessary, include comments in the Comment area provided below.

   Statement / Evaluation

        a. Known IT security weaknesses, from all components, are incorporated into the POA&M.
           Evaluation: Almost Always, or 96-100% of the time

        b. Program officials develop, implement, and manage POA&Ms for systems they own and operate (systems that support their program or programs) that have an IT security weakness.
           Evaluation: Almost Always, or 96-100% of the time

        c. Program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress.
           Evaluation: Almost Always, or 96-100% of the time

        d. CIO develops, implements, and manages POA&Ms for every system they own and operate (a system that supports their program or programs) that has an IT security weakness.
           Evaluation: Almost Always, or 96-100% of the time

        e. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
           Evaluation: Mostly, or 81-95% of the time

        f. The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.
           Evaluation: Frequently, or 71-80% of the time

        g. System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11).
           Evaluation: Rarely, or 0-50% of the time

        h. OIG has access to POA&Ms as requested.
           Evaluation: Almost Always, or 96-100% of the time

        i. OIG findings are incorporated into the POA&M process.
           Evaluation: Sometimes, or 51-70% of the time

        j. POA&M process prioritizes IT security weaknesses to help ensure that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
           Evaluation: Mostly, or 81-95% of the time

Comments:
C.1.e&f: The Department has developed a database to centrally track, maintain, and review the POA&Ms. However, because Operating Administrations are not consistently updating the database, the centrally maintained POA&M information is not always reliable. OIG found inconsistent information between the database and the hard-copy POA&Ms prepared by Operating Administrations. The CIO office agreed to work with Operating Administrations to enhance the POA&M database.
C.1.g: Per OMB guidance, we reviewed the POA&Ms for 20 systems and found that project IDs, which enable OMB to tie POA&Ms directly to the system budget requests, were missing for 15 systems. According to the CIO office, this information will be added.

C.1.i: We sampled 4 systems which received audit coverage in FY 2004 and found that critical findings were not incorporated into the systems' POA&Ms in 2 cases.

   C.1 OIG Assessment of the Certification and Accreditation Process
   Section C should only be completed by the OIG. OMB is requesting IGs to assess the agency's certification and accreditation process in order to provide a qualitative assessment of this critical activity. This assessment should consider the quality of the Agency's certification and accreditation process. Any new certification and accreditation work initiated after completion of NIST Special Publication 800-37 should be consistent with NIST Special Publication 800-37.
This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Earlier NIST guidance is applicable to any certification and accreditation work completed or initiated before finalization of NIST Special Publication 800-37. Agencies were not expected to use NIST Special Publication 800-37 as guidance before it became final.

   Statement:

As stated in our audit report, the Department has made good progress in completing security certification reviews during FY 2004. However, when we checked a sample of 20 systems, we identified deficiencies in 14 systems. The deficiencies were in the areas of assessing system risks, testing security controls, informing management of remaining weaknesses, and approving systems for operation. The CIO office agreed to continue its efforts to enhance the quality of OA security certification reviews.

We also identified the need for continued departmental management support and monitoring to complete the remaining certification reviews at FAA.

While FAA certified air traffic control systems security, the reviews were limited to developmental systems located at FAA's Technical Center computer laboratory. Operational systems deployed to air traffic control facilities also need to be reviewed. To comply with FISMA requirements, FAA needs to commit to reviewing all operational air traffic control systems (at en route, approach control, and airport terminal facilities) within 3 years.

Six systems remaining to be certified by FAA involve local area network systems installed at hundreds of locations. Since there is no assurance that network systems at all these locations have the same configuration or operate the same way, FAA may have to perform certification reviews at all installation sites.

   Evaluation: Satisfactory

Section D
NOTE: ALL of Section D should be completed by BOTH the Agency CIO and the OIG.

   D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E. For D.1.a-f, identify whether agencywide security configuration requirements address each listed application or operating system (Yes, No, or Not Applicable), and then evaluate the degree to which these configurations are implemented on applicable systems. For example: If your agency has a total of 200 systems, and 100 of those systems are running Windows 2000, the universe for evaluation of degree would be 100 systems. If 61 of those 100 systems follow configuration requirement policies, and the configuration controls are implemented, the answer would reflect "yes" and "51-70%". If appropriate or necessary, include comments in the Comment area provided below.

   D.2. Answer Yes or No, and then evaluate the degree to which the configuration requirements address the patching of security vulnerabilities. If appropriate or necessary, include comments in the Comment area provided below.

D.1. Has the CIO implemented agencywide policies that require detailed specific security configurations, and what is the degree by which the configurations are implemented?
     Yes, No, or N/A: Yes

     The following applications and operating systems are listed; no per-item response (Yes, No, or N/A) or degree-of-implementation evaluation appears for any of them:
                a. Windows XP Professional
                b. Windows NT
                c. Windows 2000 Professional
                d. Windows 2000
                e. Windows 2000 Server
                f. Windows 2003 Server
                g. Solaris
                h. HP-UX
                i. Linux
                j. Cisco Router IOS
                k. Oracle
                l. Other. Specify:

        D.2. Do the configuration requirements implemented above in D.1.a-f address patching of security vulnerabilities?
             Yes or No: Yes
             Evaluation: (not entered)

Comments:
D.1 a-l: During 2004, the CIO office issued security baseline standards for configuring computer systems using the following five software packages: server-based Windows, Linux, Solaris, Cisco (router), and wireless devices (PDA). As stated in our audit report, while DOT is moving in the right direction by implementing these configuration management controls, we identified two enhancement needs: issuing configuration standards for additional commonly used software and developing an enforcement process. Since DOT is in the early stages of implementing these standards, we plan to perform a more detailed review in FY 2005.

Section E: Incident Detection and Handling Procedures
NOTE: ALL of Section E should be completed by BOTH the Agency CIO and the OIG.

   E.1. Evaluate the degree to which the following statements reflect the status at your agency. If appropriate or necessary, include comments in the Comment area provided below.

   Statement / Evaluation

                 a. The agency follows documented policies and procedures for reporting incidents internally.
                    Evaluation: Almost Always, or 96-100% of the time

                 b. The agency follows documented policies and procedures for external reporting to law enforcement authorities.
                    Evaluation: Almost Always, or 96-100% of the time

                 c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov
                    Evaluation: Almost Always, or 96-100% of the time

   E.2. Incident Detection Capabilities.

                         a. How many systems underwent vulnerability scans and penetration tests in FY04?
                            Number of systems: 369     Percentage of total systems: (not entered)

                         b. Specifically, what tools, techniques, technologies, etc., does the agency use to mitigate IT security risk?
                            Answer: DOT uses Foundstone scanning software to regularly scan its 400 websites and about 14,000 computer systems on OAs' internal networks.

Comments:
E.2.a: DOT reported that 369 IP-based systems underwent vulnerability scans as part of its C&A requirements.
We generally concurred with this statement based on our sample review of system certification reviews.
E.2.b: DOT has effectively followed applicable policies and procedures for reporting incidents internally and externally to law enforcement and to US-CERT. DOT also used Foundstone scanning software to regularly scan its 400 websites and about 14,000 computer systems on Operating Administrations' internal networks. However, as stated in our audit report, the vulnerability checks (scans) did not cover all computers on Operating Administrations' private networks, and vulnerabilities found were not always corrected in a timely manner.

Section F: Incident Reporting and Analysis
NOTE: ALL of Section F should be completed by BOTH the Agency CIO and the OIG.

   F.1. For each category of incident listed: identify the total number of successful incidents in FY04, the number of incidents reported to US-CERT, and the number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category VII, "Other". If appropriate or necessary, include comments in the Comment area provided below.
   F.2. Identify the number of systems affected by each category of incident in FY04. If appropriate or necessary, include comments in the Comment area provided below.

   F.1. & F.2.

   Column key:
     F.1.a  Number of incidents reported internally
     F.1.b  Number of incidents reported to US-CERT
     F.1.c  Number of incidents reported to law enforcement
     F.2.a  Number of systems affected that have a complete and up-to-date C&A
     F.2.b  Number of systems affected that do not have a complete and up-to-date C&A
     F.2.c  Number of systems affected by successful incidents that exploited known vulnerabilities for which a patch was available

     Category                                   F.1.a     F.1.b     F.1.c     F.2.a     F.2.b     F.2.c
     I.   Root Compromise                           2         0         0
     II.  User Compromise                           0         0         0
     III. Denial of Service Attack                  0         0         0
     IV.  Website Defacement                        5         5         5
     V.   Detection of Malicious Logic              5         5         0
     VI.  Successful Virus/Worm Introduction      379       338         0
     VII. Other                                     0         0         0
          Totals                                  391       348         5         0         0         0

Comments:
The totals provided in F.1.b and F.1.c were provided by the Office of the CIO. However, according to US-CERT, DOT reported a total of 3,125 incidents in FY 2004. According to the CIO office, the difference is a result of different methods of categorizing an "incident." For example, the CIO office reports a virus as one incident, while US-CERT reports the number of machines affected by the virus.

Section G: Training
NOTE: ALL of Section G should be completed by BOTH the Agency CIO and the OIG.

   G.1. Has the agency CIO ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities? If appropriate or necessary, include comments in the Comment area provided below.

     G.1.a. Total number of employees in FY04: 59,867
     G.1.b. Employees that received IT security awareness training in FY04, as described in NIST Special Publication 800-50: 58,413 (98 percent)
     G.1.c. Total number of employees with significant IT security responsibilities: 445
     G.1.d. Employees with significant security responsibilities that received specialized training, as described in NIST Special Publications 800-50 and 800-16: 445 (100 percent)
     G.1.e. Briefly describe training provided: See Comment Box Below
     G.1.f. Total costs for providing IT security training in FY04 (in $'s): $463,616

   G.2.
     a. Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training?
        Yes or No: Yes

Comments:
G.1.a,b,c,d: This information was provided by the Office of the CIO.
OIG generally concurs with the reported information based on our review of the training records provided.
G.1.e: DOT sponsored training in the areas of computer forensics, wireless security, intrusion detection, user awareness, identity theft, privacy, contingency planning, certification & accreditation, designated approving authority, and risk management. On-site vendor training (CISSP) and computer-based training (system security administration, user awareness) were also provided.

EXHIBIT B. SCOPE AND METHODOLOGY
During fiscal year (FY) 2004, we fulfilled the requirements under FISMA by reviewing DOT major financial systems, FAA air traffic control systems, and the implementation of IT capital planning and investment control procedures and DOT's modernization plan (Enterprise Architecture). In addition, we sampled 20 OA systems that had undergone security certification reviews to determine whether the OAs have complied with Government and DOT standards in assessing system risks, identifying security requirements, testing security controls, and accrediting systems to support business operations.

We reviewed the reasonableness of DOT's continued reduction of computer systems in its inventory (from 630 to 485) during FY 2004 and assessed DOT's progress in correcting weaknesses identified in last year's FISMA review. We also provided input to DOT's FISMA report by answering questions specified by the Office of Management and Budget.

We used the audit methodologies recommended by the Government Accountability Office, and guidelines issued by other Government authorities such as the National Institute of Standards and Technology. We used commercial scanning software to assess contractor-operated web site vulnerabilities.

We performed our work throughout FY 2004 and focused on reviewing FISMA reporting between July 2004 and September 2004 at DOT and OAs' Headquarters located in Washington, D.C. The audit was conducted in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States and included such tests as we considered necessary to provide reasonable assurance of detecting abuse or illegal acts.

We previously issued three audit reports on DOT's information security program in response to the legislative mandate of the Federal Information Security Management Act (FISMA), formerly the Government Information Security Reform Act (GISRA). They are "DOT Information Security Program," Report Number FI-2003-086, September 25, 2003; "DOT Information Security Program," Report Number FI-2002-115, September 27, 2002; and "DOT Information Security Program," Report Number FI-2001-090, September 7, 2001.

EXHIBIT C. DOT OPERATING ADMINISTRATIONS
Bureau of Transportation Statistics (BTS)

Federal Aviation Administration (FAA)

Federal Highway Administration (FHWA)

Federal Motor Carrier Safety Administration (FMCSA)

Federal Railroad Administration (FRA)

Federal Transit Administration (FTA)

Maritime Administration (MARAD)

National Highway Traffic Safety Administration (NHTSA)

Office of the Secretary (OST)

Research and Special Programs Administration (RSPA)

Surface Transportation Board (STB)

Saint Lawrence Seaway Development Corporation (SLSDC)

EXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT
THE FOLLOWING INDIVIDUALS CONTRIBUTED TO THIS REPORT.

  Name                                Title

  Rebecca Leng                        Deputy Assistant Inspector General for Information Technology and Computer Security

  Nathan Custer                       Project Manager

  Ping Sun                            Project Manager

  Philip deGonzague                   Project Manager

  Michael Marshlick                   Computer Scientist Advisor

  James Mallow                        Senior Auditor

  Henry Lee                           Senior Computer Scientist

  John Johnson                        Senior Information Technology Specialist

  Mitchell Balakit                    Information Technology Specialist

  Bradley Kistler                     Information Technology Specialist

  Jean Yoo                            Information Technology Specialist

  Aaron Nguyen                        Computer Scientist

  Pinaki Sandra                       Information Technology Specialist